Google only repriced elliptic-curve cryptography in its latest quantum disclosure. The algorithm did not change, the attack economics did.
The operational cost to break ECDLP-256 fell by roughly 20x in physical-qubit requirements.
Google presented two Shor circuits for ECDLP-256, each below 1,450 logical qubits, with execution times measured in minutes on a superconducting architecture around 500,000 physical qubits.
The story is narrower and deeper than most coverage suggests.
Google frames the disclosure through authenticity infrastructure, prioritizing post-quantum migration for digital signatures on a 2029 timeline.
Elliptic-curve signatures became the default because the footprint worked. Firmware updates, hardware attestation, and embedded systems all benefited from compact keys and efficient verification under tight resource constraints.
The design was elegant precisely because it fit the operational boundary of its era. Once the cost to attack drops below a certain threshold, that elegance stops mattering. The security horizon moves whether the ecosystem is ready or not.
The 500,000 physical qubit estimate still sits far above current deployed counts. Google Willow operates around 105 physical qubits, so the gap is real and the capability is not imminent.
What makes the 2029 planning horizon defensible anyway is that "harvest now, decrypt later" attacks are already in motion for long-lived key material, and chain-of-trust migrations across live infrastructure take years by default.
The operational lead time is the threat, not the qubit count.
Which is why Google's response deserves more scrutiny than it has received. The chain-of-trust framing in Android 17 is the actual disclosure. Native ML-DSA support in Keystore and hybrid classical-plus-PQC signing for APKs are not a library swap.
Every verifier, signer, and update channel built around ECC now has to absorb a signature family with different operational properties across live systems. Firmware verifiers, hardware security modules, and software distribution pipelines all have to migrate in coordination, and none of them can tolerate trust breaks during transition.
The engineering burden falls on "coordinated, simultaneous verification uplift" across stacks that were never designed to be upgraded together.
The most interesting part of this disclosure may be the disclosure method itself. Google published a zero-knowledge proof that lets third parties verify the resource estimates without revealing the attack circuits. Even communicating "the cost dropped" now creates a cryptographic design problem. The proof has to be strong enough to compel migration, but constrained enough not to function as an operator manual. That is a legitimately hard calibration problem, and I suspect "ZK-verified threat disclosure" becomes the standard pattern for responsible quantum research going forward. How you bound the information hazard of the disclosure itself, without undermining its credibility, is a protocol design question the space has not formalized yet.
Cryptography is no longer optimizing only for compactness and efficiency. The new optimization target is migration throughput and verifier agility. ECC fit the old operational boundary. Google just showed the boundary is moving, and published a cryptographic object to prove it.